Audit Report

OIG-10-032
Management Letter for Fiscal Year 2009 Audit of the Office of Thrift Supervision's Financial Statements

January 19, 2010

Office of Inspector General
Department of the Treasury

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

OFFICE OF INSPECTOR GENERAL

January 19, 2010

MEMORANDUM FOR JOHN E. BOWMAN, ACTING DIRECTOR, OFFICE OF THRIFT SUPERVISION

FROM: Michael Fitzgerald, Director, Financial Audits

SUBJECT: Management Letter for Fiscal Year 2009 Audit of the Office of Thrift Supervision's Financial Statements

I am pleased to transmit the attached management letter in connection with the audit of the Office of Thrift Supervision's (OTS) fiscal year 2009 financial statements. Under a contract monitored by the Office of Inspector General, Lani Eko & Company, CPAs, PLLC (Lani Eko), an independent certified public accounting firm, performed an audit of the financial statements of OTS as of September 30, 2009, and for the year then ended. The contract required that the audit be performed in accordance with generally accepted government auditing standards; applicable provisions of Office of Management and Budget Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended; and the GAO/PCIE Financial Audit Manual.

As part of its audit, Lani Eko issued and is responsible for the accompanying management letter that discusses certain matters involving internal control and its operation that were identified during the audit but were not required to be included in the auditor's reports.

In connection with the contract, we reviewed Lani Eko's letter and related documentation and inquired of its representatives. Our review disclosed no instances where Lani Eko did not comply, in all material respects, with generally accepted government auditing standards.

Should you have any questions, please contact me at (202) 927-5789, or a member of your staff may contact Mark S. Levitt, Manager, Financial Audits at (202) 927-5076.

Attachment

2009 Comments on Internal Control and Other Matters
Office of Thrift Supervision

INDEPENDENT AUDITOR'S MANAGEMENT LETTER

To the Inspector General
U.S. Department of the Treasury

We have audited the financial statements of the U.S. Department of the Treasury, Office of Thrift Supervision (OTS) as of and for the years ended September 30, 2009 and 2008. In planning and performing our audit, we considered the OTS' internal control over financial reporting as a basis for designing our auditing procedures, obtained an understanding of the design effectiveness of internal controls, determined whether the internal controls have been placed in operation, assessed control risk, and performed tests of the OTS' internal controls for the purpose of expressing our opinion on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the OTS' internal control over financial reporting.

We noted certain matters involving internal control that are presented in the attachment to this letter for your consideration. These findings and recommendations, all of which have been discussed with the appropriate members of management, are intended to improve the OTS' internal controls or result in other operating efficiencies.

OTS' responses to our findings and recommendations have not been subjected to the auditing procedures applied in the audit of the financial statements and, accordingly, we express no opinion on them.

This report is intended solely for the information and use of the Inspector General of the U.S. Department of the Treasury, the management of the OTS, the OMB, the Government Accountability Office and Congress and is not intended to be and should not be used by anyone other than these specified parties.

October 30, 2009
Alexandria, Virginia

Attachment

Office of Thrift Supervision
FY 2009 Financial Statement Audit Comments and Recommendations

1. Oversight of Travel Expenses

CONDITION
During our testing of disbursements, we reviewed a sample of 37 travel vouchers and noted that 29 travel vouchers had no documented evidence of official review and approval. We also noted that mileage reimbursements for travel by OTS staff and consultants were not supported to ensure that the mileage amount claimed was accurate and valid.

LEC reviewed travel voucher categories that are eligible for management review under current OTS policies and procedures. Although reviews of travel vouchers were performed, we noted instances of reviews that were performed 5 to 11 months after the travel end dates.

CAUSE
During FY 2009, OTS management eliminated the requirement that OTS managers review or approve travel vouchers. In addition, OTS employees and consultants are not required to submit supporting documentation with their claims for travel reimbursements.

CRITERIA
Government Accountability Office's (GAO) Standards for Internal Control in the Federal Government states that control activities occur at all levels and functions of the entity. They include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews, maintenance of security, and the creation and maintenance of related records which provide evidence of execution of these activities as well as appropriate documentation.

EFFECT
Without proper OTS management oversight of travel expense reimbursements, OTS is susceptible to risk of fraud, waste and/or abuse. In FY 2009, OTS travel and transportation expenses totaled approximately $18 million.

RECOMMENDATION
We recommend that OTS develop and implement procedures to ensure adequate oversight of travel expenses.

MANAGEMENT RESPONSE
Beginning in fiscal year 2010, OTS managers or managers' designees, within 30 days of claims being filed, will review 100% of travel claims and certify that the travel was authorized, valid, and approved for official business. Finance and Acquisition Management will continue to audit all claims over $2,500, all claims for international travel, all claims for travel by executive management, and 5% of the remaining claims.

2. Access Controls Over Computer Resources

CONDITION
While OTS management had made significant improvements in logical access controls over the General Support System (GSS) and the OTS information resources, we noted the following logical access controls where additional improvements are needed to protect sensitive agency data. Specifically, improvements are needed in the following areas:

- Review of Access Authorizations - There are no documented procedures for provisioning user access to the financial applications managed by internal OTS logical access provisioning tools, and

- User Account Reviews - Periodic reviews to determine if system access is still appropriate are not performed for the financial applications managed by internal OTS logical access provisioning tools.

CAUSE
OTS does not document logical access control policies and procedures for the significant financial applications. OTS does not document physical access control policies and procedures for the data centers that support the significant financial applications.

CRITERIA
NIST Special Publication 800-53 (Revision 2), Recommended Security Controls for Federal Information Systems - ACCESS CONTROL POLICY AND PROCEDURES: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.

EFFECT
By not enforcing adequate logical and physical access controls, the OTS exposed the General Support System (GSS), National Application Tracking System, Assessment Billing System and Furniture, Fixtures and Equipment System (Inventory Tracking System) to the risk that unauthorized individuals could gain access to sensitive information. Additionally, OTS' ability to protect sensitive data or equipment from theft or inadvertent disclosure would be compromised if an unauthorized person entered a restricted facility containing sensitive OTS equipment and data.

RECOMMENDATION
We recommend that OTS: a) document its procedures of access authorizations for its financial applications; and b) perform periodic user account reviews to determine if system access is still appropriate for its financial applications.

MANAGEMENT RESPONSE
We believe that OTS's policies for physical and logical access are adequate, well documented, and effectively enforced. Directive 12111, Physical and Environmental Protection Policy, 8/17/09, addresses physical access controls. Directive 12112, Access Control Policy, 8/17/19, addresses logical access controls. Together, these policies require permission from system owners for access to systems and periodic review of access lists. Physical controls include tracking access to and escorting uncleared personnel in controlled spaces.

We believe that OTS's procedures, though sufficient, are informal and can be strengthened through documentation. Our CIO will be tasked to produce written procedures for implementing the access control policies. Additionally, Information, Technology, and Facilities (ITF) staff will test the procedures and ensure that access control lists are periodically reviewed by system owners. ITF Staff with access to controlled spaces will be instructed to log their entrances and exits, and the Director of Security will be assigned responsibility for reviewing logs of access to controlled spaces.
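The periodic user account review that finding 2 calls for can be reduced to a reconciliation of the accounts present on a financial application against the system owner's documented authorizations. The following is an added illustration, not OTS code or a tool from the audit; the account export, authorization records, role names, separated-user list and 180-day recertification interval are all constructed assumptions.

```python
"""Periodic user-account review: reconcile provisioned accounts against
documented system-owner authorizations (constructed example)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:          # one row of an access list exported from the application
    user: str
    role: str


@dataclass(frozen=True)
class Authorization:    # one documented approval by the system owner
    user: str
    role: str
    approved_by: str
    approved_on: date


REVIEW_INTERVAL_DAYS = 180   # assumed recertification interval, not from the report


def review_accounts(accounts, authorizations, separated_users, today):
    """Return {user: [issues]} for every account that fails the review.

    An account is flagged when it has no authorization record, is provisioned
    with a role other than the one approved, has an approval older than the
    recertification interval, or belongs to a user who has separated."""
    auth_by_user = {a.user: a for a in authorizations}
    findings = {}
    for acct in accounts:
        issues = []
        auth = auth_by_user.get(acct.user)
        if auth is None:
            issues.append("no documented authorization")
        elif auth.role != acct.role:
            issues.append(f"role mismatch: authorized {auth.role}, provisioned {acct.role}")
        elif (today - auth.approved_on).days > REVIEW_INTERVAL_DAYS:
            issues.append("authorization past recertification date")
        if acct.user in separated_users:
            issues.append("user separated; account should be disabled")
        if issues:
            findings[acct.user] = issues
    return findings


# Constructed sample data standing in for an application export and approval log.
SAMPLE_ACCOUNTS = [Account("jdoe", "AP_CLERK"), Account("asmith", "GL_ADMIN"),
                   Account("bjones", "AP_CLERK"), Account("ckim", "AP_APPROVER")]
SAMPLE_AUTHS = [Authorization("jdoe", "AP_CLERK", "sysowner1", date(2009, 8, 1)),
                Authorization("asmith", "GL_READONLY", "sysowner1", date(2009, 7, 15)),
                Authorization("ckim", "AP_APPROVER", "sysowner1", date(2008, 11, 1))]
SEPARATED = {"bjones"}


def sample_review():
    """Run the review as of the FY 2009 year end on the constructed data."""
    return review_accounts(SAMPLE_ACCOUNTS, SAMPLE_AUTHS, SEPARATED, date(2009, 9, 30))
```

Each flagged entry is the evidence a system owner would act on and the reviewer would retain as the record of the periodic review.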